[libreoffice] 03/07: add polygon array bounds checking

Rene Engelhard rene at moszumanska.debian.org
Thu Jul 27 19:17:15 UTC 2017 

This is an automated email from the git hooks/post-receive script.

rene pushed a commit to tag libreoffice_3.5.7_0ubuntu13
in repository libreoffice.

commit 46ad8e68f86d06957a57f0d959755cee5bd0b0b5
Author: Bjoern Michaelsen <bjoern.michaelsen at canonical.com>
Date:   Wed Jul 27 12:17:14 2016 +0200

    add polygon array bounds checking
---
 changelog                |  9 ++++++
 patches/poly-bounds.diff | 81 ++++++++++++++++++++++++++++++++++++++++++++++++
 patches/series           |  1 +
 3 files changed, 91 insertions(+)

diff --git a/changelog b/changelog
index 2edbf89..c7afe36 100644
--- a/changelog
+++ b/changelog
@@ -1,3 +1,12 @@
+libreoffice (1:3.5.7-0ubuntu12~precise1) precise; urgency=medium
+
+  * SECURITY UPDATE: possible arbritrary code execution via out-of-bounds
+    polygon array
+    - debian/patches/poly-bounds.diff: check polygon array bounds
+    - CVE-2016-1513
+
+ -- Bjoern Michaelsen <bjoern.michaelsen at canonical.com>  Wed, 27 Jul 2016 09:48:57 +0200
+
 libreoffice (1:3.5.7-0ubuntu11) precise-security; urgency=low
 
   * SECURITY UPDATE: Denial of service and possible arbitrary code execution
diff --git a/patches/poly-bounds.diff b/patches/poly-bounds.diff
new file mode 100644
index 0000000..afd7598
--- /dev/null
+++ b/patches/poly-bounds.diff
@@ -0,0 +1,81 @@
+From 9472ec62d714ac477b28392c8a291067b5511f6c Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?Caol=C3=A1n=20McNamara?= <caolanm at redhat.com>
+Date: Wed, 10 Sep 2014 14:41:42 +0100
+Subject: [PATCH] clip PolyPolygon::Insert on .svm load
+
+valgrind + bff
+
+(cherry picked from commit fd64d444b730f6cb7216dac8f6e3f94b97d7ab60)
+
+Conflicts:
+	tools/source/generic/poly2.cxx
+
+Change-Id: Ib3ed8a6e518c0686f8cbeaf021b9ca3a07005032
+Reviewed-on: https://gerrit.libreoffice.org/11382
+Reviewed-by: Michael Stahl <mstahl at redhat.com>
+Tested-by: Michael Stahl <mstahl at redhat.com>
+---
+ tools/source/generic/poly2.cxx | 8 ++++----
+ vcl/source/gdi/metaact.cxx     | 6 ++++++
+ 2 files changed, 10 insertions(+), 4 deletions(-)
+
+diff --git a/tools/source/generic/poly2.cxx b/tools/source/generic/poly2.cxx
+index aa732f4..2641d5e8 100644
+--- a/tools/source/generic/poly2.cxx
++++ b/tools/source/generic/poly2.cxx
+@@ -219,7 +219,7 @@ void PolyPolygon::Insert( const Polygon& rPoly, sal_uInt16 nPos )
+ void PolyPolygon::Remove( sal_uInt16 nPos )
+ {
+     DBG_CHKTHIS( PolyPolygon, NULL );
+-    DBG_ASSERT( nPos < Count(), "PolyPolygon::Remove(): nPos >= nSize" );
++    assert(nPos < Count() && "PolyPolygon::Remove(): nPos >= nSize");
+ 
+     if ( mpImplPolyPolygon->mnRefCount > 1 )
+     {
+@@ -239,7 +239,7 @@ void PolyPolygon::Remove( sal_uInt16 nPos )
+ void PolyPolygon::Replace( const Polygon& rPoly, sal_uInt16 nPos )
+ {
+     DBG_CHKTHIS( PolyPolygon, NULL );
+-    DBG_ASSERT( nPos < Count(), "PolyPolygon::Replace(): nPos >= nSize" );
++    assert(nPos < Count() && "PolyPolygon::Replace(): nPos >= nSize");
+ 
+     if ( mpImplPolyPolygon->mnRefCount > 1 )
+     {
+@@ -256,7 +256,7 @@ void PolyPolygon::Replace( const Polygon& rPoly, sal_uInt16 nPos )
+ const Polygon& PolyPolygon::GetObject( sal_uInt16 nPos ) const
+ {
+     DBG_CHKTHIS( PolyPolygon, NULL );
+-    DBG_ASSERT( nPos < Count(), "PolyPolygon::GetObject(): nPos >= nSize" );
++    assert(nPos < Count() && "PolyPolygon::GetObject(): nPos >= nSize");
+ 
+     return *(mpImplPolyPolygon->mpPolyAry[nPos]);
+ }
+@@ -617,7 +617,7 @@ Rectangle PolyPolygon::GetBoundRect() const
+ Polygon& PolyPolygon::operator[]( sal_uInt16 nPos )
+ {
+     DBG_CHKTHIS( PolyPolygon, NULL );
+-    DBG_ASSERT( nPos < Count(), "PolyPolygon::[](): nPos >= nSize" );
++    assert(nPos < Count() && "PolyPolygon::[](): nPos >= nSize");
+ 
+     if ( mpImplPolyPolygon->mnRefCount > 1 )
+     {
+diff --git a/vcl/source/gdi/metaact.cxx b/vcl/source/gdi/metaact.cxx
+index 6d7ac00..c1c2676 100644
+--- a/vcl/source/gdi/metaact.cxx
++++ b/vcl/source/gdi/metaact.cxx
+@@ -1192,6 +1192,12 @@ void MetaPolyPolygonAction::Read( SvStream& rIStm, ImplMetaReadData* )
+             rIStm >> nIndex;
+             Polygon aPoly;
+             aPoly.Read( rIStm );
++            if (nIndex >= maPolyPoly.Count())
++            {
++                SAL_WARN("vcl.gdi", "svm contains polygon index " << nIndex
++                         << " outside possible range " << maPolyPoly.Count());
++                continue;
++            }
+             maPolyPoly.Replace( aPoly, nIndex );
+         }
+     }
+-- 
+2.7.4
+
diff --git a/patches/series b/patches/series
index 2c10ae8..8da4485 100644
--- a/patches/series
+++ b/patches/series
@@ -74,3 +74,4 @@ lwpfix3.diff
 lwpfix4.diff
 lwpfix5.diff
 rtf-use-after-free.diff
+poly-bounds.diff

-- 
Alioth's /usr/local/bin/git-commit-notice on /srv/git.debian.org/git/pkg-openoffice/libreoffice.git

More information about the Pkg-openoffice-commits mailing list